[OPENAM-8659] JSON REST authenticate endpoint doesn't check validity of sessionUpgradeSSOTokenId before returning authId Created: 04/Apr/16  Updated: 20/Nov/16  Resolved: 27/May/16

Status: Resolved
Project: OpenAM
Component/s: rest
Affects Version/s: 12.0.2, 13.0.0
Fix Version/s: 12.0.4, 13.5.0

Type: Bug Priority: Minor
Reporter: Sachiko Wallace Assignee: Quentin CASTEL [X] (Inactive)
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: 5h
Time Spent: 2h
Original Estimate: 7h

Target Version/s:
Sprint: AM Sustaining Sprint 21, AM Sustaining Sprint 22
Support Ticket IDs:
QA Assignee: Filip Kubáň [X] (Inactive)
Verified Version/s:

 Description   

1. retrieve authId from /authenticate endpoint

$ curl --request POST --header "Content-Type: application/json"
 https://openam.example.com:8443/openam/json/authenticate
{
    "authId": "...jwt-value...",
     :
}

2. fill in JSON form and submit with authId

$ curl --request POST --header "Content-Type: application/json"
 --data '{ "authId": "...jwt-value...", "template": "", "stage": "DataStore1", "callbacks": [ { "type": "NameCallback", "output": [ { "name": "prompt", "value": " User Name: " } ], "input": [ { "name": "IDToken1", "value": "demo" } ] }, { "type": "PasswordCallback", "output": [ { "name": "prompt", "value": " Password: " } ], "input": [ { "name": "IDToken2", "value": "changeit" } ] } ] }'
 https://openam.example.com:8443/openam/json/authenticate
{ "tokenId": "AQIC5wM2...U3MTE4NA..*", "successUrl": "/openam/console" }

3. logout using token obtained in step 2

$ curl --request POST --header "iplanetDirectoryPro: AQIC5wM2...U3MTE4NA..*" "https://openam.example.com:8443/openam/json/sessions/?_action=logout"
{"result":"Successfully logged out"}

4. use the same token to do session upgrade

$ curl --request POST "https://openam.example.com:8443/openam/json/authenticate?sessionUpgradeSSOTokenId=AQIC5wM2...U3MTE4NA..*"
{"code":400,"reason":"Bad Request","message":"Session Upgrade fails since user is different than original authenticated user"}

It is not a user-friendly process flow: OpenAM asks for callbacks, validates the provided callbacks, and only then fails with "Session Upgrade fails since user is different than original authenticated user", producing a number of collateral errors in the debug log when it tries to log information with the invalid token.

Expected output

An error telling you that the token is invalid. In addition, this check needs to be done earlier in the process, so we don't pollute the debug logs with unnecessary errors.

Current output

You get the error:

{"code":400,"reason":"Bad Request","message":"Session Upgrade fails since user is different than original authenticated user"}

which is a consequence of not checking the token earlier. As a consequence, you also get a few related errors that you should not get at all.
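To make the ordering problem concrete, here is an added toy model of the session-upgrade flow described above. It is not OpenAM code: SessionStore, authenticate_start, authenticate_submit and reproduce are constructed stand-ins for the real /json/authenticate endpoint and session service, and check_early switches between the reported behaviour (token only compared after callbacks are submitted) and the expected one (token validated before an authId is issued).

```python
# Added toy model of the session-upgrade ordering described in this issue.
# Not OpenAM code: every class and function here is a constructed stand-in.
import secrets

class SessionStore:
    """Minimal session table: tokenId -> user. Logout removes the entry."""
    def __init__(self):
        self._active = {}
    def create(self, user):
        token = secrets.token_urlsafe(16)
        self._active[token] = user
        return token
    def logout(self, token):
        self._active.pop(token, None)
    def user_of(self, token):
        return self._active.get(token)  # None for unknown or logged-out tokens

class InvalidToken(Exception): "Expected: sessionUpgradeSSOTokenId rejected up front."
class UpgradeMismatch(Exception): "The late, misleading error quoted in the issue."

def authenticate_start(store, upgrade_token=None, check_early=True):
    """Step 1: hand out an authId and callbacks. check_early=False only records the token."""
    if upgrade_token is not None and check_early and store.user_of(upgrade_token) is None:
        raise InvalidToken("sessionUpgradeSSOTokenId is not a valid session")
    return {"authId": secrets.token_hex(8), "upgrade_token": upgrade_token,
            "callbacks": ["NameCallback", "PasswordCallback"]}

def authenticate_submit(store, auth_state, username, password, users):
    """Step 2: validate callbacks, then (too late) compare the upgrade token's user."""
    if users.get(username) != password:
        raise PermissionError("invalid credentials")
    upgrade_token = auth_state["upgrade_token"]
    if upgrade_token is not None and store.user_of(upgrade_token) != username:
        # A logged-out token has no user, so it lands here instead of a clear error.
        raise UpgradeMismatch("Session Upgrade fails since user is different than original authenticated user")
    return {"tokenId": store.create(username)}

def reproduce(check_early):
    """Run steps 1-4 of the report with a logged-out token; return the error raised."""
    store, users = SessionStore(), {"demo": "changeit"}
    first = authenticate_submit(store, authenticate_start(store), "demo", "changeit", users)
    store.logout(first["tokenId"])                                        # step 3
    try:
        state = authenticate_start(store, first["tokenId"], check_early)  # step 4
        authenticate_submit(store, state, "demo", "changeit", users)
    except (InvalidToken, UpgradeMismatch) as err:
        return type(err).__name__
    return "no error"
```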



 Comments   
Comment by Filip Kubáň [X] (Inactive) [ 29/Sep/16 ]

Verified on: OpenAM 12.0.4-RC5 Build 8f3551671e (2016-September-19 17:53)
